OpenSSH Bravely Addresses the Quantum Threat

Post-quantum algorithms are now the default choice in OpenSSH 9.0

Duncan Jones
Cambridge Quantum


Photo by Kid Circus on Unsplash

OpenSSH has surprised and delighted the cyber world by switching to a hybrid post-quantum scheme in its latest 9.0 release. The software now uses a combination of Streamlined NTRU Prime, alongside old favourite X25519, to negotiate the session keys that protect data in transfer.

The release notes explain the rationale was to prevent “hack-now, decrypt-later” attacks, in which an attacker harvests encrypted data so they can hack it using a quantum computer in the future. Previous versions of OpenSSH were vulnerable to this type of attack because the algorithms used to negotiate encryption keys were based on mathematical problems that powerful quantum computers are expected to crack. Anyone sharing sensitive data across an OpenSSH connection was risking data exposure in 10 or 15 years when quantum computers increase in power. The Cloud Security Alliance argues this moment may come as soon as 2030.

The OpenSSH team should be applauded for taking a public stand at a time when most security products are in a holding pattern waiting for the NIST post-quantum process to complete. Although the timing of their release is surprising, with major NIST announcements expected in the days to come, it shows they value user security above the potential inconvenience of adjusting algorithms in subsequent releases.

What Is a Hybrid Crypto Scheme?

In a protocol like OpenSSH, data is encrypted using a session key known only to the sender and receiver. To securely exchange the session key, the sender and receiver perform a cryptographic handshake, which typically involves the use of quantum-vulnerable algorithms, such as RSA or ECDSA.

To defend against the quantum threat, a hybrid crypto scheme combines a quantum-vulnerable algorithm with a post-quantum algorithm to strengthen the cryptographic handshake. The resulting session key is derived from mixing key material agreed by both algorithms. To gain access to the session key, an attacker would have to break the quantum-vulnerable algorithm as well as the post-quantum algorithm. This means the session key is likely to be safe from hack-now, decrypt-later attacks.

You might wonder what happens if the post-quantum algorithm is broken in the near future, as we saw recently with Rainbow. In such instances, the security of the connection collapses back to the security of the quantum-vulnerable algorithm. This means the data is perfectly safe against today’s attackers, but potentially vulnerable to quantum attacks in the future. In short, you lose nothing by experimenting with hybrid approaches. In the worst case, you are no worse off, and in the best case, you are quantum-safe.

The main downside of hybrid approaches is that they haven’t been broadly standardised yet. This means both the sender and receiver need to be aware of the bespoke combination of algorithms being used. In the OpenSSH example, both the client and the server need to be running OpenSSH 9.0 to negotiate a quantum-safe connection. If one end is running software from a different project (i.e. not OpenSSH) or an earlier version, the connection would still be quantum-vulnerable.

What Can We Learn from This?

Quantum presents both a threat and an opportunity to cybersecurity systems, and smart companies are exploring both sides of the coin today.

OpenSSH has reminded the world that little is lost by embracing quantum-safe algorithms in an aggressive manner, provided a hybrid approach is used. If you combine these algorithms with quantum-enhanced key generation, you can catapult to the cutting edge of connection security and feel confident you’ve taken every precaution available today.

Bravo to OpenSSH for getting the ball rolling. Hopefully, other security products are poised to implement quantum-safe algorithms as soon as the NIST announcements are made.

Learn more about Cambridge Quantum’s cybersecurity products at